summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2026-06-17Merge pull request #5278 from sarthurdev/T8991Daniil Baturin
firewall: T8991: Fix IndexError with domain resolver mishandling blank lines
2026-06-17Merge pull request #5231 from natali-rs1985/T8223Viacheslav Hletenko
bgp: T8223: Prevent `advertise-all-vni` in multiple BGP VRF instances simultaneously
2026-06-17Merge pull request #5277 from c-po/can-not-cannotViacheslav Hletenko
T8923: normalize "can not" to "cannot" and other typo fixes
2026-06-17firewall: T8991: Fix IndexError with domain resolver mishandling blank linessarthurdev
2026-06-16op-mode: T8923: show-bond.py typo fix "--interface" over "--interfaces"Christian Breunig
2026-06-16template: T8923: fix typo in function argument "formater" -> "formatter"Christian Breunig
2026-06-16mtr: T8923: fix typo in function declaration "expension" -> "expansion"Christian Breunig
2026-06-16image: T8923: fix typo in variable definition "PARTITONING" -> "PARTITIONING"Christian Breunig
2026-06-16T8923: normalize "can not" to "cannot"Christian Breunig
Replace two-word "can not" / "Can not" with "cannot" across comments, ConfigError messages, CLI help text, and op-mode output. Standard SNMP MIB files under mibs/ are left unchanged.
2026-06-16T8972: VPP: sync LCP interface VRF table bindingRuslan Volodin
2026-06-15Merge pull request #5225 from indrajitr/T8165-pki-private-bundleDaniil Baturin
pki: T8165: Add ability to show certificate full chain in pem format
2026-06-15password-reset: T8985: Fix unbounded `sed` ranges corrupting other user blocksOleksandr Kuchmystyi
`sed` ranges keyed on a field name (`plaintext-password`, `encrypted-password`, `authentication {`) are not bounded to the target user's block. When the field is absent the range stays open past the user's closing brace and matches the first occurrence of that field in a later account.
2026-06-12T8980: apply exclusion mask before taking difference of treesJohn Estabrook
2026-06-12T8980: refactor functions out of config_mgmt.pyJohn Estabrook
This is no real need to have these in config_mgmt; moving to config_sync will localize needed modifications to local/remote configs for exclusion mask.
2026-06-12Merge pull request #5269 from natali-rs1985/T8953Christian Breunig
dhcpv6: T8953: Add validation for duplicate static-mapping address and prefix
2026-06-12dhcpv6: T8953: Add validation for duplicate static-mapping address and prefixNataliia Solomko
2026-06-11Merge pull request #5265 from jestabro/fix-overwrite-console-typeDaniil Baturin
T8976: explicitly remove 'kernel' entry in ttyS0 device setting on choice of 'tty' during image install
2026-06-10Merge pull request #5238 from natali-rs1985/T8930Viacheslav Hletenko
vpp: T8930: Block vif driver to prevent unhandled traceback on XCP-NG
2026-06-10Merge pull request #5262 from c-po/remote-saltViacheslav Hletenko
salt: T8973: remove feature
2026-06-09T8976: explicitly remove 'kernel' device setting on choice of 'tty'John Estabrook
2026-06-09serial: T8974: invalid check during migration system 31 -> 32Christian Breunig
Commit 35db941bcf30 ("serial: T8375: add CLI option to explicitly set kernel console") added a migration script to alter the CLI for the kernel boot console. The migrations script early exist check does not work, as the statement never evaluates to true, thus the CLI Migration for Kernel console parameter is always called, even if undesired.
2026-06-09salt: T8973: remove featureChristian Breunig
As salt has been marked deprecated via T8056 and is thus deprecated in VyOS 1.5 and VyOS 1.4 it is time to remove it from the rolling release.
2026-06-09bgp: T8223: Prevent `advertise-all-vni` in multiple BGP VRF instances ↵Nataliia Solomko
simultaneously FRR only allows one BGP instance to hold `advertise-all-vni` at a time (FRR issue #9405). When a default BGP instance is present it is always started before named VRF instances, so if a named VRF holds the flag FRR silently rejects it on every boot (regardless of default EVPN config), causing the running config to diverge from what is stored in VyOS. Enforce the following policy in verify(): - Default BGP instance may always hold `advertise-all-vni`. - A named VRF may hold it only when no default BGP instance exists. - Only one BGP instance (default or named VRF) may hold it at a time. The default BGP verify path additionally scans dependent VRFs so that adding or modifying the default BGP instance while a named VRF already holds the flag is caught even when the VRF node is not part of the current commit.
2026-06-08T8963: policy-route: trigger domain resolver for domain groupsMiaosen Wang
Signed-off-by: Miaosen Wang <secretandanon@gmail.com>
2026-06-05Merge pull request #5232 from natali-rs1985/T8936Christian Breunig
vrf: T8936: Specify `pref 1998` when deleting fwmark routing rules on VRF removal
2026-06-05dhcp-server: T8524: Validate DDNS key-name references defined tsig-keyNataliia Solomko
When a key-name is set under dynamic-dns-update forward-domain or reverse-domain, validate that the referenced TSIG key is defined under dynamic-dns-update tsig-key. Previously the missing key was only caught at runtime, causing kea-dhcp-ddns to fail to start with a fatal error. Also fix a pre-existing bug in `verify_ddns_domain` (formerly `verify_ddns_domain_servers`) where the function was called with the full tagNode dict but iterated as if it received a single domain config, causing the DNS server address check to never actually run.
2026-06-05vrf: T8936: Specify `pref 1998` when deleting fwmark routing rules on VRF ↵Nataliia Solomko
removal
2026-06-05vpp: T8913: Skip bond teardown for non-structural config changesNataliia Solomko
VPP bond teardown was triggered on every commit regardless of what changed, dropping all subinterfaces and BGP sessions even for trivial changes like descriptions or IP addresses. Only mode, hash-policy and mac_address require full recreation since VPP has no in-place update API for these; all other changes are now applied incrementally.
2026-06-04pki: T8165: Add ability to show certificate full chain in pem formatIndrajit Raychaudhuri
Add op-mode command having ability to show certificate full chain in pem format as part of PKI configuration. The certificates are ordered beginning with the end entity (leaf) certificate, followed by any intermediate certificates and finally the private key if requested. This allows users to easily export a certificate along with its CA hierarchy for use in external applications, that require the full chain to be provided in a single file. One can now run the following commands: ``` show pki ca NAME pem full-chain show pki certificate NAME pem full-chain show pki certificate NAME private pem full-chain ```
2026-06-04Merge pull request #5227 from indrajitr/dhcp-lease-time-fixChristian Breunig
dhcp: T8933: Honor system timezone for timestamp display in op mode
2026-06-04Merge pull request #5253 from alexandr-san4ez/T8346-rollingChristian Breunig
password-reset: T8346: Fix password recovery when only `plaintext-password` is set
2026-06-04Merge pull request #5195 from natali-rs1985/T8492Christian Breunig
T8492: CRL generated by VyOS PKI lacks X.509 extensions required for strongSwan validation
2026-06-04geoip: T5746: Add GeoIP ASN supportsarthurdev
2026-06-04vpp: T8930: Block vif driver to prevent unhandled traceback on XCP-NGNataliia Solomko
The `vif` driver is fundamentally incompatible with VPP — no DPDK poll-mode driver exists for Xen paravirtual interfaces and no PCI address is exposed, so `allow-unsupported-nics` cannot rescue it either.
2026-06-04password-reset: T8346: Fix password recovery when only `plaintext-password` ↵Oleksandr Kuchmystyi
is set When a user account was provisioned with only `plaintext-password` (e.g. via cloud-init), the password recovery tool failed to persist the new password across reboots. On the next boot, VyOS would re-apply the `plaintext-password` from config.boot, silently overwriting the recovered encrypted password.
2026-06-03vyos-netlinkd: T8950: track per-interface operstate to suppress UP-to-UP ↵Robert Navarro
DHCP restarts _handle_dhcp_events() restarts dhclient/dhcp6c on every RTM_NEWLINK that carries operstate=UP, regardless of whether the interface was already UP. Normal kernel events that re-notify UP without a preceding DOWN (e.g. post-migration gratuitous-ARP, promiscuous-mode toggles) trigger unnecessary DHCP restarts. Each restart also creates a feedback loop: dhclient-script runs "ip link set dev <if> up" during PREINIT, which emits another RTM_NEWLINK(UP), which triggers another restart. One seed event becomes 10+ restarts in 15 seconds. Add a module-level dict tracking the last observed operstate per interface. Only proceed with the DHCP restart when the transition is DOWN-to-UP or when no previous state is recorded (first boot / service restart). UP-to-UP re-notifications are suppressed with a LOG_DEBUG message. Validated on a production VyOS 2026.05.26-1327-rolling router: a controlled KVM live migration after the patch produced zero DHCP restarts (all UP-to-UP events suppressed), with no impact on normal DOWN-to-UP DHCP recovery.
2026-06-03Merge pull request #5213 from alexandr-san4ez/T8308-currentDaniil Baturin
conntrack: T8308: Add per-flow counters and VRF filter to conntrack table
2026-05-29dhcp: T8941: Apply guards for empty or missing mapping keysIndrajit Raychaudhuri
2026-05-29dhcp: T8941: Add missing `hostname` as valid sort keyIndrajit Raychaudhuri
Add `hostname` as a valid sort key for both DHCPv4 and DHCPv6 leases and static mappings.
2026-05-29dhcp: T8933: Honor system timezone for timestamp display in op modeIndrajit Raychaudhuri
The time displayed in DHCP v4/v6 server lease op-mode commands should honor system timezone and not force UTC timezone. This would keep the timestamps in the output of `show log dhcp server` or `show log dhcpv6 server` consistent with the timestamps in the output of `show dhcp server leases` or `show dhcpv6 server leases` commands.
2026-05-28Merge pull request #5109 from statio/fix/vrf-aware-port-checkDaniil Baturin
T8454: fix VRF-bind port availability check in service_https
2026-05-28Merge pull request #5169 from jestabro/exclusive-mask-config-syncJohn Estabrook
T8502: Add exclusion mask to config-sync
2026-05-28T8916: add simple nosetest for subtree_from_partial utilityJohn Estabrook
2026-05-28T8502: add util for updating config-sync-exclude.jsonJohn Estabrook
2026-05-28T8502: add client support for config-sync excluded pathsJohn Estabrook
2026-05-28T8502: add server support for config-sync excluded pathsJohn Estabrook
2026-05-28Merge pull request #5074 from vyos/fix/bare-except-clausesViacheslav Hletenko
python: T8857: replace bare except clauses with except Exception in config scripts
2026-05-27T8454: fix VRF-bind port availability check in service_httpsLee Clements
When service https is configured with a listen-address on a VRF interface, adding or changing the vrf option causes the commit to fail with "TCP port 443 is used by another service!" even though no conflict exists. Root cause: check_port_availability() performs a socket.bind() in the default network namespace. When the listen-address belongs to a VRF interface the address is unreachable from the default namespace, so the bind fails with OSError which is misinterpreted as "port in use". The secondary check via is_listen_port_bind_service() also fails because psutil cannot see sockets bound inside a VRF. Fix: add an optional vrf parameter to check_port_availability(). When set, the test socket is bound to the VRF master device via SO_BINDTODEVICE before the bind() call, so that the address is resolved in the correct L3 domain. This is done in-process (no subprocess) and works for both IPv4 and IPv6. service_https verify() now passes the configured VRF (if any) to check_port_availability(). Non-VRF configurations are unaffected. Add smoke test for HTTPS with listen-address inside a VRF. Co-authored-by: Christian Breunig <christian@breunig.cc>
2026-05-27Merge pull request #5208 from alexandr-san4ez/T8538-currentChristian Breunig
snmp: T8538: Persist engineBoots counter across reboots
2026-05-27ipsec: T8912: Fix log level not respected in system journalOleksandr Kuchmystyi
When setting 'vpn ipsec logging log-level 0', DPD informational messages (log level 1) were still appearing in the system journal. The root cause is that charon-systemd reads both `charon-systemd.conf` and `charon-logging.conf` and applies the higher of the two log levels to the journal. The VyOS only managed `charon-systemd.conf`, leaving `charon-logging.conf` at its default level of 1, which silently overrode the user-configured level. Fix this by rendering `charon-logging.conf` on every commit with syslog backend set to -1 (silent), making `charon-systemd.conf` the sole authoritative source for journal log verbosity. This also eliminates duplicate log entries in the journal that occurred when both backends were active and writing to the same destination.